A method of writing data to non-volatile memory such as electrically erasable programmable read only memory (EEPROM) in a
smart card provides a write status region of EEPROM which is examined on each reset of the card. If the preceding write operation was
unsuccessful, perhaps because of deliberate manipulation of the card, a recovery procedure is implemented. If recovery is successful the
card application can be run. Otherwise the card is unusable.

DATA WRITING TO NON-VOLATILE MEMORY

The invention relates to the writing of data to
non-volatile memory. Non-volatile memory is memory
which retains data without electrical power being
maintained. In particular, the invention relates to
the writing of data to memory in transportable
integrated circuit devices which are used in
conjunction with terminal devices with which they are
temporarily coupled for data input and output. An
example of such a transportable device is the
integrated circuit card (ICC), otherwise known as a
"smart card".

to a ZT- -^^"^ °' " interface 

reset "'"^"^ = - a 

reset signal and serial data signals may be applied to
the card. Generally the interface incorporates a set
of electrical contacts for direct temporary electrical
connection. However, contactless interfaces employing
electromagnetic induction techniques for the
application of power have been proposed. In such an
arrangement clock, reset and data signals may be
coupled electromagnetically or by infra-red or
ultrasonic techniques. Transportable integrated circuit
devices may be embodied in tokens of other than card
shape. Regardless of shape, such devices will be
referred to herein as integrated circuit cards (ICCs).

the ICC may be interfered with by disturbing the
interface during writing whereby transients or failure
in power, reset or clock signals may result in an
erroneous write.

is nart""' ""P^^"""" "-^ich the invention 

applicable is in a financial value or
"electronic cash" transfer system. Here, data in
smart cards represents value which can be transferred
on-line with banks and off-line between cards. Such a
system is described in patent applications Nos.
WO91/16691 and WO93/08545. It is clearly important in
such applications to avoid the effects of erroneous
data writing, either accidental or perhaps deliberately
instigated by manipulation of power or data lines.
The present invention provides a solution.

According to the invention there is provided a
method of writing data to non-volatile memory in an
integrated circuit device, the device having an
interface for temporary connection to a terminal unit;
a microprocessor; random access memory and
non-volatile memory, the method consisting in allocating a
first region of the non-volatile memory for data to be
written, allocating a second region of non-volatile
memory for write status information to be written,
performing a data write operation to write data to
said first region, and writing information to said
second region signifying a valid data write if, and
only if, the data write operation is performed
satisfactorily.

In a microprocessor environment there are many
copy and write procedures for transferring data and
program information between regions of RAM and from
RAM to EEPROM, for example, and vice versa. At the
operating system level or higher there are usually
verification techniques available for verifying the
validity of a copy or write operation. This may
involve an automatic comparison of the copied or
written material with the original or, more usually,
the provision of a checksum routine which adds one or
more checksum bits to the data which, in accordance
with a particular algorithm, provide a link to the
data which can be verified to ensure that no write or
copy corruption has taken place. If corruption is
detected the operation can be repeated until
satisfactory. The present invention is not concerned
with such techniques and is additional to them, where
provided. However, such inbuilt techniques can be
used as the basis for determining whether the write
operation has been performed satisfactorily in order
to write the appropriate information into the said
second region of memory. Thus, for example, if data
is successfully written to an ICC with inbuilt write
verification techniques present then the conclusion of
the write process can be taken as indication of a
satisfactory write to allow appropriate data to be
written to the second region of memory.

The type of non-volatile memory currently used
in most smart cards is electrically erasable
programmable read-only memory (EEPROM) and the invention is
applicable particularly, but not exclusively to this.
As far as reading and writing procedures are concerned
EEPROM is generally divided into pages and reading or
writing is carried out on one page only at a time. It
can be expected that a transient writing error may
corrupt the contents of one page but not others.
Accordingly, it is preferred that the said first and
second regions are on different pages.

The invention allows the non-volatile memory to
record whether there is an outstanding write error on
the device and to take action accordingly when the
device is used again, on application of a reset
signal. Generally the protocol ISO 7816 is used, which
governs the nature of reset, answer-to-reset, power
and clock signals etc. If the fault is transient, the
reset signal may be applied immediately so that an
interrupted transaction may be resumed. If not, the
reset signal is applied next time an attempt is made
to use the device. Preferably, in accordance with an
aspect of the invention there is provided a method of
utilisation of an integrated circuit device to which
data has been written as described above, the device
including in the non-volatile memory an application
program which controls the microprocessor to run a
particular application under normal circumstances, the
utilisation method including the step of initially
reading the said second portion of the non-volatile
memory to derive write status information therefrom
and, if the write status information indicates an
incomplete write operation, by-passing said
application program.

Thus, the action effective when an outstanding 
write error is present on a smart card (for example) 
may be to render the card useless by continued failure 
to run the application program. This is software 
invalidation of the card. Alternatively, a hardware 
invalidation is possible by providing an overload 
current to a fuse link in the card, thus blowing the 
fuse and rendering the card invalid. However, card 
invalidation is wasteful and preferably the method of 
utilisation includes, on detection of an incomplete 
write operation, a procedure of data recovery 
effective to restore the device to a condition in 
which the last data write is correct and the status 
information in the second region of memory reflects 
this. Should the data recovery procedure fail, then 
the above-mentioned software or hardware steps of 
invalidating the card may be taken.

As non-exhaustive examples of the way in which
the invention may be used, three specific methods are
proposed.

METHOD 1

In this method it is provided that respective and
separate regions of the non-volatile memory are
allocated as:-

(a) a sequence register which is said second
region of memory;

(b) a data copy buffer;

(c) a size register; and

(d) an address register

and allocating a region of RAM or non-volatile
memory as (e) a data incremental buffer, the said
first region of non-volatile memory being
identified in size and address by data written in
memory regions (c) and (d), the said method of
writing consisting in:-

1. ensuring that the buffer (e) contains a
valid data increment;

2. placing a copy of data to be updated in
the buffer (b);

3. incrementing the register (a);

4. incrementing the data at the first
region of memory by the amount in buffer (e)
and writing the incremental amount to the
first region of memory; and

5. incrementing the sequence register (a)

register (a) indicates recovery is necessary, consists

^^La^ti^rt";;: :r- 

operation. P°=^t^on before the faulty write 

METHOD 2

In this method it is provided that respective and
separate regions of the non-volatile memory are
allocated as:-

(f) a write in progress flag register, which is 

said second region of memory; 

(g) a workspace pointer register; 
(h) a size register; and

(i) a data pointer register

and allocating a region of RAM or non-volatile
memory as (j) a new data pointer register, the
said first region of non-volatile memory being
identified in size and position by data written
in memory regions (g) and (h), the said method of
writing consisting in:-

1. setting a workspace pointer in register
(g) to the address of non-volatile memory
workspace sufficient to hold a contiguous
data set corresponding to a size set in
register (h);

2. copying to the workspace a copy of new
data identified in address by the new data
pointer at (j) and in size by the size data
at (h);

3. setting the write in progress flag at
(f);

4. setting an address in data pointer
register (i) to the address of the
workspace; and

5. clearing the write in progress flag in
register (f).

Here, the recovery procedure comprises repetition
of the last two steps (4 and 5), since an error would
indicate that the data pointer register had not been
properly written.

METHOD 3

In this method it is provided that respective and
separate regions of the non-volatile memory are
allocated as:-

(k) a state flag register which is said second 

region of memory; 

(l) a size register;

(m) an address register; and

(n) an update copy buffer

the said first region of non-volatile memory
being identified in size and position by data
written in registers (l) and (m), the said method
of writing consisting in:-

1. copying new data to be written into
buffer (n);

2. setting the state flag in register (k);

3. writing said new data to be written to
said first region of non-volatile memory;
and

4. clearing the state flag in register (k).

Here, new data is typically written directly from
RAM and a copy is taken for the update copy buffer
(n). If recovery is required, since it is the new
data which is held in reserve in (n), the recovery
procedure copies this to the required address in
EEPROM (for example).

The invention will further be described with
reference to the accompanying drawings, of which:-

Figure 1 is a schematic diagram of a smart card 
having EEPROM organised to effect a first method of 
data writing and recovery in accordance with the 
invention; 

Figure 2 is a flow diagram in respect of the 
method used in the card of Figure 1; 

Figure 3 is a schematic diagram similar to Figure
1 but in respect of a second method of data writing
and recovery in accordance with the invention;

Figure 4 is a flow diagram in respect of the
second method;

Figure 5 is a schematic diagram similar to
Figures 1 and 3 but in respect of a third method of
data writing and recovery in accordance with the
invention; and

Figure 6 is a flow diagram in respect of the
third method.

Referring to Figure 1 there is shown a smart card 
1 which has an interface 2 comprising a set of 
contacts 3 for making contact with a terminal unit 4. 
In accordance with the protocol of ISO 7816 the
terminal unit provides power, clock signals, a reset 
signal and serial data signals to the card. The card 
is an ICC device which includes a microprocessor 5, 
RAM 6, and EEPROM 7. 

The EEPROM 7 is divided into a set of pages 8 and 
is loaded with an operating system program OS, an 
application program AP and has a data region DR which 
holds data which may be read and rewritten. 

A first example of the present invention is 
designated METHOD 1, which is for incremental updating
of data in EEPROM. In accordance with this method 
respective and separate regions of the data region DR 
of EEPROM are allocated as:- 

(a) a sequence register; 

(b) a data copy buffer; 

(c) a size register; and 

(d) an address register. 

A region of RAM is allocated as (e) a data
incremental buffer, although this could alternatively
be in EEPROM also.

Referring now to Figure 2(a) there is shown a
flow diagram for the writing of data in accordance
with METHOD 1. The steps include:

1. ensuring that the buffer (e) contains a valid
data increment (at 9);

2. identifying the EEPROM data to be updated
(original data) by reference to the size and
address registers (c), (d), the original
location (at 10);

3. copying the original data to buffer (b) (at

4. incrementing the sequence register (a) (at

5. calculating the new data in RAM by reference
to the original data and the data in the data
increment buffer (e) and writing the new data back
to the original location in EEPROM (at 13); and

6. incrementing the register (a) (at 14).

EEPROM is such that its stored data can be
corrupted if, whilst the content of the EEPROM is
being changed, the power line, or the clock signal are
interrupted. With the arrangement described above
data security is provided by the use of the data copy
buffer in conjunction with the sequence register. By
virtue of internal write verification procedures it
can be assumed that if the operating system indicates
completion of the write procedure 13 then the written
information is in order and the sequence register (a)
can be updated appropriately. If the write operation
is interrupted by power line or clock signal
disruption, for example, then the sequence register
remains in its former state which is not appropriate
to the attempted write.

In accordance with an aspect of the invention
there is a check and recovery procedure available when
the card receives the reset signal at any time.
Figure 2(b) illustrates this. On reset at 15 the
sequence register is checked at 16 to determine
whether a write failure is indicated. If not then the
application program AP (Figure 1) is executed at 17.
If failure is indicated then the original data before
the last attempted write operation, which is held in
data copy buffer (b) is copied to the original data
address (c), (d). This step is shown at 18. The
situation before the attempted write operation is thus
restored.

This method is adapted to a multi-stage operation
procedure and in practice data will be fed back and
forth to the terminal by a serial interface in
multiple stages. The sequence register holds
information as to the stage in the sequence where
interruption takes place. If the original
interconnection to the terminal pertains and the
operation sequence can be resumed then a
re-synchronisation procedure takes place and at 19 there
is a check to determine whether
copying/re-synchronisation has succeeded. If so then the
application program AP is run. If not the software
must decide from the state of the sequence register
how to re-synchronise the on-card application software
and the software communicating with the smart card via
the serial line. If data cannot be retrieved from the
data copy buffer, and the sequence register indicates
that this data should be available, then the smart
card is unusable, as indicated at 20.

This may be by virtue of continued failure to 
implement the application program or positive steps 
may be taken to invalidate the card as, for example,
by blowing an inbuilt fuse.

The data copy buffer (b) and the data
increment buffer (e) must both be large enough to hold
the largest possible data block that will be written
to EEPROM using this method. An extra 5 bytes of
storage are also required (size = 2 bytes, address = 2
bytes, sequence register = 1 byte [at least]). If
size can never be greater than 255, then it can be
stored in a single byte.

Since the card operates on only one page 8
(Figure 1) at a time in writing, security is enhanced
by ensuring that separate EEPROM pages (3 in total)
are used for the data copy buffer, the data
increment buffer and for the rest of the additional
data.

Using this method of writing to EEPROM, the 
number of bytes actually written to EEPROM is doubled 
even if a recovery is not invoked (because a copy of 
the original data must be stored in the data copy
buffer before the EEPROM write commences). The total
overhead is actually slightly more than this as size, 
address, and sequence register information must also 
be written to EEPROM. 

Referring now to Figure 3 there is shown the
EEPROM configuration for a smart card (otherwise
similar to that of Figure 1) to use a METHOD 2 in
accordance with the invention. Here respective and
separate regions of EEPROM (on respective pages 8) are
allocated as:-

(f) a write in progress flag register;

(g) a workspace pointer register;

(h) a size register; and

(i) a data pointer register.

In RAM there is allocated a region (j) as a new
data pointer register. Alternatively this may also be
in EEPROM.

A flow chart for the writing procedure in METHOD
2 is shown in Figure 4(a). This includes the steps
of:-

1. setting a workspace pointer in register (g)
to the address of a workspace in EEPROM
sufficient in size to hold a contiguous data set
corresponding to a size set in register (h) (at
21);

2. copying to the workspace a copy of new data
in a region in RAM or EEPROM identified in size
by register (h) and in position by register (i)
(at 22);

3. setting the write in progress flag (f) (at
23);

4. setting the address in register (i) to the
workspace address (at 24); and

5. clearing the write in progress flag in
register (f).

The check and recovery procedure for METHOD 2 is
shown in Figure 4(b). On reset at 25 the write in
progress flag is checked at 26. If cleared the
application program AP is run at 27. If not then the
last two steps (4 and 5) of the write procedure are
repeated. Thus, the data pointer (i) is set equal to
the workspace pointer (g) at 28 and the write in
progress flag (f) is cleared at 29. If this write
procedure succeeds (check at 30) the program AP is
executed. If not, then the smart card is unusable (at
31).
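
The METHOD 2 write procedure and reset check, as an added example in C (not code from the patent): a byte array stands in for EEPROM and a write budget simulates loss of power part-way through. The layout addresses, the function names (`m2_write`, `m2_reset`, `m2_after_tear`), the byte-at-a-time write model and the sample values are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NV_SIZE 1024

/* Constructed layout; the addresses are assumptions, picked so that both
   bytes of the data pointer change when it moves from AREA_A to AREA_B. */
enum { OFF_WIP = 0x000,    /* (f) write in progress flag, 1 byte */
       OFF_WSP = 0x010,    /* (g) workspace pointer, 2 bytes big-endian */
       OFF_LEN = 0x012,    /* (h) size register, 1 byte in this sketch */
       OFF_PTR = 0x020,    /* (i) data pointer, 2 bytes big-endian */
       AREA_A  = 0x1F0,    /* area holding the current data */
       AREA_B  = 0x200 };  /* free area used as the workspace */

static uint8_t nv[NV_SIZE];  /* simulated EEPROM; contents survive a power cut */
static int budget;           /* bytes that can still be written before power fails */

/* Byte-wise EEPROM write; returns -1 at the moment simulated power is lost. */
static int nv_write(int off, const uint8_t *src, int n) {
    while (n-- > 0) { if (budget-- <= 0) return -1; nv[off++] = *src++; }
    return 0;
}
static int nv_set(int off, uint8_t v) { return nv_write(off, &v, 1); }
static int nv_put16(int off, uint16_t v) {
    uint8_t b[2] = { (uint8_t)(v >> 8), (uint8_t)(v & 0xFF) };
    return nv_write(off, b, 2);
}
static uint16_t nv_get16(int off) {
    return (uint16_t)((nv[off] << 8) | nv[off + 1]);
}

/* Write procedure, steps 1 to 5 of Figure 4(a). `src` stands in for the
   new data that register (j) locates. */
int m2_write(uint16_t workspace, const uint8_t *src, uint8_t size) {
    if (workspace + size > NV_SIZE) return -1;
    if (nv_put16(OFF_WSP, workspace) || nv_set(OFF_LEN, size)) return -1; /* 1 */
    if (nv_write(workspace, src, size)) return -1;   /* 2. copy to workspace */
    if (nv_set(OFF_WIP, 1)) return -1;               /* 3. set (f) */
    if (nv_put16(OFF_PTR, workspace)) return -1;     /* 4. (i) = workspace */
    return nv_set(OFF_WIP, 0);                       /* 5. clear (f) */
}

/* Check on reset, Figure 4(b): if (f) is set, repeat steps 4 and 5.
   Returns 0 when the application may run, -1 when recovery did not complete. */
int m2_reset(void) {
    if (nv[OFF_WIP] == 0) return 0;
    if (nv_put16(OFF_PTR, nv_get16(OFF_WSP))) return -1;
    return nv_set(OFF_WIP, 0);
}

uint16_t m2_pointer(void) { return nv_get16(OFF_PTR); }

/* Constructed sample values. */
static const uint8_t OLD_V[4] = {0x00, 0x00, 0x01, 0x00};
static const uint8_t NEW_V[4] = {0x00, 0x00, 0x00, 0xFF};

static void power_on_with_old(void) {
    memset(nv, 0, sizeof nv);
    memcpy(&nv[AREA_A], OLD_V, 4);
    nv[OFF_PTR] = AREA_A >> 8;
    nv[OFF_PTR + 1] = AREA_A & 0xFF;
}

/* What a reader following (i) sees: 0 = old data, 1 = new data, 2 = neither. */
static int state(void) {
    uint16_t p = m2_pointer();
    if (p + 4 > NV_SIZE) return 2;
    if (!memcmp(&nv[p], OLD_V, 4)) return 0;
    return memcmp(&nv[p], NEW_V, 4) ? 2 : 1;
}

/* Cut power after `cut` bytes of m2_write(); with do_reset, run the reset check next. */
int m2_after_tear(int cut, int do_reset) {
    power_on_with_old();
    budget = cut;
    (void)m2_write(AREA_B, NEW_V, 4);
    budget = NV_SIZE;                       /* power restored */
    if (do_reset && (m2_reset() != 0 || nv[OFF_WIP] != 0)) return 2;
    return state();
}

int main(void) {
    int s = m2_after_tear(9, 0);
    printf("cut=9, no reset: state=%d pointer=0x%04X\n", s, (unsigned)m2_pointer());
    for (int cut = 0; cut <= 11; cut++)
        printf("cut=%2d, after reset: state=%d\n", cut, m2_after_tear(cut, 1));
    return 0;
}
```

Cutting power after the ninth byte leaves the data pointer half-written, at an address that belongs to neither area; because flag (f) is still set at that moment, the reset check rewrites (i) from (g) before the application reads through it.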

If an area of EEPROM is found where an EEPROM
write cannot be completed, then this method readily
allows the smart card application software to mark
this area as unusable (permanently), and choose
another area for data storage. This can greatly
extend the life of the smart card (which will very
probably be limited by the maximum possible number of
EEPROM writes that the smart card is capable of
performing), however this is at the expense of
maintaining a pointer (a 2 byte overhead) to each data
structure stored in EEPROM.

Under normal conditions, the Write in Progress
flag is only set for the time required to update a
pointer in EEPROM. This is the minimum possible
theoretical update time, which should help to ensure
that the recovery mechanism is invoked only very
rarely. This minimises the number of attempted writes
to EEPROM, and thus extends the life of the smart
card.

Each data structure written to EEPROM using this
method will be extended by two bytes, as a pointer to
the data must be continuously maintained. There is a
small overhead on each EEPROM read as all data which
uses this method must be accessed via a pointer.

The EEPROM pointed to by the Workspace Pointer
must be large enough to hold the largest possible data
structure that will be written to EEPROM using this
method. This space is only required until the EEPROM
write has been successfully completed, at which point
an equivalent length of EEPROM storage (which used to
contain the original data) is released. An extra 7
bytes of storage are also required (Write in Progress
flag = 1 byte, New Data Pointer = 2 bytes, Workspace
Pointer = 2 bytes, Size = 2 bytes). If Size can never
be greater than 255, then it can be stored in a single
byte.



<WO 9424873A1 = 



PCT/GB94/00775 






Using this method of writing to EEPROM, the data 
structure is only written to EEPROM once, but three 
pointers have to be updated (the New Data Pointer, the 
Workspace Pointer and the Data Pointer - in that
order). The Size, Address and Sequence Register
information must also be written to EEPROM. 

Referring now to Figure 5 there is shown EEPROM 
allocation for a METHOD 3 of implementing the 
invention. It is to be understood that the EEPROM of 
Figure 5 is incorporated in a smart card otherwise 
similar to that of Figure 1. In Figure 5, separate 
regions of EEPROM (on separate pages 8) are allocated 
as:-

(k) a state flag register;
(l) a size register;
(m) an address register; and
(n) an update copy buffer.

The writing procedure in METHOD 3 is illustrated
in Figure 6(a). The following steps are implemented -

1. Copy new data into buffer (n) (at 32);

2. Set state flag (k) (at 33);

3. Copy the new data to EEPROM region
identified by size (l) and address (m) (at 34);
and

4. Clear state flag (k) (at 35).

The check and recovery procedure illustrated in
Figure 6(b) has reset at 36, and a check for the
setting of state flag (k) at 37. If the flag is not
set then application program AP is run at 38.
Otherwise the new data residing in buffer (n) is
copied to the region (l), (m) at 39 and the state flag
(k) is cleared at 40. If successful, the application
program is run. If not, the card is useless (41).

The update copy buffer (n) must be
large enough to store the largest amount of data which
will be written to EEPROM, plus 5 bytes (Size = 2
bytes, Address = 2 bytes, State Flag = 1 byte). If
Size can never be greater than 255, then it can be
stored in a single byte.

Using this method of writing to EEPROM the
number of bytes actually written to EEPROM is doubled
even if a Recovery is not invoked (because a copy of
the data must be written to EEPROM). The total
overhead is actually slightly more than this as Size and
Address must also be written to EEPROM.
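
An added example in C (not code from the patent) of the METHOD 3 write procedure and reset check, run against a simulated EEPROM whose power is cut after every possible number of written bytes, next to an unprotected in-place write of the same value. The layout offsets, the function names, the byte-at-a-time write model and the 4-byte sample values are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NV_SIZE 64

/* Constructed layout (offsets are assumptions): flag and registers, buffer
   and live data each sit on their own 16-byte "page". */
enum { OFF_FLAG = 0,     /* (k) state flag register */
       OFF_SIZE = 1,     /* (l) size register */
       OFF_ADDR = 2,     /* (m) address register */
       OFF_BUF  = 16,    /* (n) update copy buffer */
       OFF_DATA = 32 };  /* first region: the live data */

static uint8_t nv[NV_SIZE];  /* simulated EEPROM; contents survive a power cut */
static int budget;           /* bytes that can still be written before power fails */

/* Byte-wise EEPROM write; returns -1 at the moment simulated power is lost. */
static int nv_write(int off, const uint8_t *src, int n) {
    while (n-- > 0) { if (budget-- <= 0) return -1; nv[off++] = *src++; }
    return 0;
}
static int nv_set(int off, uint8_t v) { return nv_write(off, &v, 1); }

/* The target must lie in the data area and fit the update copy buffer. */
static int region_ok(int addr, int size) {
    return addr >= OFF_DATA && size <= OFF_DATA - OFF_BUF && addr + size <= NV_SIZE;
}

/* Write procedure, steps 1 to 4 (32 to 35 in Figure 6(a)). */
int m3_write(uint8_t addr, const uint8_t *data, uint8_t size) {
    if (!region_ok(addr, size)) return -1;
    if (nv_write(OFF_BUF, data, size)) return -1;    /* 1. new data -> (n) */
    if (nv_set(OFF_SIZE, size) || nv_set(OFF_ADDR, addr)) return -1;
    if (nv_set(OFF_FLAG, 1)) return -1;              /* 2. set (k) */
    if (nv_write(addr, data, size)) return -1;       /* 3. write first region */
    return nv_set(OFF_FLAG, 0);                      /* 4. clear (k) */
}

/* Check on reset (36 to 41 in Figure 6(b)).
   Returns 0 when the application may run, -1 when recovery did not complete. */
int m3_reset(void) {
    if (nv[OFF_FLAG] == 0) return 0;                          /* flag clear: run AP */
    if (!region_ok(nv[OFF_ADDR], nv[OFF_SIZE])) return -1;    /* registers unusable */
    if (nv_write(nv[OFF_ADDR], &nv[OFF_BUF], nv[OFF_SIZE])) return -1; /* (n) -> data */
    return nv_set(OFF_FLAG, 0);                               /* clear (k) */
}

/* Constructed sample values: a 4-byte big-endian balance going from 256 to 255. */
static const uint8_t OLD_V[4] = {0x00, 0x00, 0x01, 0x00};
static const uint8_t NEW_V[4] = {0x00, 0x00, 0x00, 0xFF};

static void power_on_with_old(void) {
    memset(nv, 0, sizeof nv);
    memcpy(&nv[OFF_DATA], OLD_V, 4);
}

/* 0 = old value intact, 1 = new value intact, 2 = torn mixture of both. */
static int state(void) {
    if (!memcmp(&nv[OFF_DATA], OLD_V, 4)) return 0;
    return memcmp(&nv[OFF_DATA], NEW_V, 4) ? 2 : 1;
}

/* Unprotected in-place write, power cut after `cut` bytes. */
int naive_after_tear(int cut) {
    power_on_with_old();
    budget = cut;
    (void)nv_write(OFF_DATA, NEW_V, 4);
    return state();
}

/* METHOD 3 write, power cut after `cut` bytes, then reset with power restored. */
int m3_after_tear(int cut) {
    power_on_with_old();
    budget = cut;
    int completed = (m3_write(OFF_DATA, NEW_V, 4) == 0);
    budget = NV_SIZE;                       /* power restored */
    if (m3_reset() != 0 || nv[OFF_FLAG] != 0) return 2;
    if (completed && state() != 1) return 2;
    return state();
}

int main(void) {
    for (int cut = 0; cut <= 4; cut++)
        printf("in-place cut=%d -> %d\n", cut, naive_after_tear(cut));
    for (int cut = 0; cut <= 12; cut++)
        printf("method 3 cut=%2d -> %d\n", cut, m3_after_tear(cut));
    return 0;
}
```

With these sample values the in-place write torn after three bytes leaves a balance of 0, which is neither the old nor the new value, while every tear point of the METHOD 3 sequence ends, after reset, in exactly one of the two.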

i™pre:en;e""L;rrt":.'^^^"^''"^= ^-^^ - 
calculating a chrcii^^re:: L^-thTrtris^Tr^^ 

storing this chec.su., and verifying t al i; .s 
corr t ^^^^^^^^^^ ^^^^ th .t 

™ thod used to calculate the error detection chec.L,^ 

indeed" '"'^ °^ ^''^^ document 

indeed some smart cards have error detection processes
built into the EEPROM hardware, and their particular
method of operation may well not be known.

An EEPROM wrl t-o i o ^ . 

^jf jjfc! accepted as valid if 
^et ction system verifies that the da ta ^ t^bl:: 

read it J[ " ^^'^^'^^ ^"^"9 - BEPROM 

read, it probably means that one or more bytes in the
smart card's EEPROM have reached the end of their

Any one of the methods of writing to EEPROM
described above ensures that error correction (as
opposed to error detection) is not required. Either
the EEPROM operation takes place successfully, or the
smart card is unusable. There are no circumstances in
which an error needs to be corrected. This simplifies
the software and reduces the data storage
requirements, as error correction is computationally
intensive and requires more dedicated bytes of storage
than error detection.

One of the three methods of writing data to
EEPROM described above (Method Number 1) explicitly
keeps a counter (Sequence Register) which stores
knowledge of the last successful operation in the
series of operations performed during writing to
EEPROM. Methods 2 and 3 may have, but do not
explicitly require a counter of this type as they
rely upon flags which hold information showing
whether or not writing to EEPROM has successfully
completed.

Even though a method of writing to EEPROM does 
not always explicitly require a numeric counter, it 
should be clearly noted that in many systems it will 
be necessary to maintain such a counter so that 
interrupted processes of any kind can be restarted. It 
is of course vitally important for this counter to be 
written to EEPROM in a secure manner, as if it is not
correct it cannot be relied upon by smart card
application software attempting to restart an
interrupted process.

1. A method of writing data to non-volatile memory
in an integrated circuit device, the device having an
interface for temporary connection to a terminal unit;
a microprocessor; random access memory and
non-volatile memory, the method consisting in allocating a
first region of the non-volatile memory for data to be
written, allocating a second region of non-volatile
memory for write status information, performing a data
write operation to write data to said first region,
and writing information to said second region
signifying a valid data write if, and only if, the
data write operation is performed satisfactorily.
as J.^T^^ °' -"^""3 -l-ta to non-volatile memory 
di::::;" ";" ' "'^"^ no-volatile memory 

performed ''''' operations are 

performed on only one page at a time, the said first
and second regions of memory being on different pages.

3. A method of writing data to non-volatile memory
as claimed in Claim 1 or Claim 2 wherein the
non-volatile memory is electrically erasable programmable
read-only memory (EEPROM).

^evic: rricTdr::\\^r:Lr„:: -r-- — 
the method of any of cTrim""," t^""::::: 

including in the non-volatile memory an application
program which controls the microprocessor to run a
particular application under normal circumstances, the
utilisation method including the step of initially
reading the said second portion of the non-volatile
memory to derive write status information therefrom
and, if the write status information indicates an
incomplete write operation, by-passing said
application program.

5. A method of utilisation of an integrated circuit

Lice as Claimed in Ciai. . inciuain, o-;-"-- 
an incomplete write operation, a procedure of data
recovery effective to restore the device to a
condition in which the last data write is correct and
the status information in the second region of memory
reflects this.

6. A method of utilisation of an integrated circuit
device as claimed in Claim 5 which includes the step
of monitoring the procedure of data recovery and
rendering running of the application program
impossible if the data recovery procedure fails.

7. A method of utilisation of an integrated circuit
device as claimed in Claim 6 which includes the step
of permanently disabling the device if the data
recovery step fails.

8. A method of utilisation of an integrated circuit
device as claimed in any of Claims 5 to 7 wherein said
second region of memory is a status register and said
status information is indicative of the last
satisfactorily performed stage of a multi-stage
operation sequence and said data recovery procedure is
effective to recover the multi-stage operation
sequence from the stage at which it failed, as
indicated by the status register.

9. A method of utilisation of an integrated circuit
device as claimed in Claim 8 wherein respective and
separate regions of the non-volatile memory are
allocated as:-

(a) a sequence register which is said second 

region of memory; 

(b) a data copy buffer; 

(c) a size register; and 

(d) an address register 

and allocating a region of RAM or non-volatile
memory as (e) a data incremental buffer, the said
first region of non-volatile memory being
identified in size and address by data written in
memory regions (c) and (d), the said method of
writing consisting in:-

1. ensuring that the buffer (e) contains a
valid data increment;

2. placing a copy of data to be updated in
the buffer (b);

3. incrementing the register (a);

4. incrementing the data at the first
region of memory by the amount in buffer (e)
and writing the incremental amount to the
first region of memory; and

5. incrementing the sequence register (a).

10. A method of utilisation of an integrated circuit
device as cJ.. ^^'"-^^^^"^^ integrated circuit 

' "^"^ ^^"t region of memory. 
11. A method of utilisation of an integrated circuit
device as claimed in any of Claims 5 to 7 wherein said
second region of memory Is a fl»„ , """^^ ="<3 

sta^us information is a ^l^J w^ilris"::";; Te Ta^: 

.3 ::^t:re"::t^:e:""^^- - - 

12. A method of utilisation of an integrated circuit

non-volatile memory are allocated as:-

(f) a write in progress flag register which is
said second region of memory;

(g) a workspace pointer register; 

(h) a size register; and 

(i) a data pointer register 

and allocating a region of RAM or non-volatile
memory as (j) a new data pointer register, the
said first region of non-volatile memory being
identified in size and position by data written
in memory regions (g) and (h), the said method of
writing consisting in:-

1. setting a workspace pointer in register
(g) to the address of non-volatile memory
workspace sufficient to hold a contiguous
data set corresponding to a size set in
register (h);

2. copying to the workspace a copy of new
data identified in address by the new data
pointer at (j) and in size by the size data
at (h);

3. setting the write in progress flag at
(f);

4. setting an address in data pointer
register (i) to the address of the
workspace; and

5. clearing the write in progress flag in
register (f).

13. A method of utilisation of an integrated circuit
device as claimed in Claim 12 wherein the recovery
procedure comprises the steps of setting the address
in data pointer register (i) to the address of the
workspace and clearing the write in progress flag in
register (f).

14. A method of utilisation of an integrated circuit
device as claimed in Claim 11 wherein respective and
separate regions of the non-volatile memory are
allocated as:-

(k) a state flag register which is said second
region of memory;

(l) a size register;

(m) an address register; and

(n) an update copy buffer

the said first region of non-volatile memory
being identified in size and position by data
written in registers (l) and (m), the said method
of writing consisting in:-

1. copying new data to be written into
buffer (n);

2. setting the state flag in register (k);

3. writing said new data to be written to
said first region of non-volatile memory;
and

4. clearing the state flag in register (k).

15. A method of utilisation of an integrated circuit
device as claimed in Claim 14 wherein the recovery
procedure comprises the steps of copying the contents
of the update copy buffer (n) to the said first region
of non-volatile memory identified by the contents of
registers (l) and (m) and clearing the flag in
register (k).

16. An integrated circuit device having an interface
for temporary connection to a terminal unit; a
microprocessor; random access memory and non-volatile
memory, the non-volatile memory including a program
for controlling the microprocessor to effect any of
the data writing or utilisation methods as claimed in
any of the preceding claims.